Mercor, a San Francisco-based startup that supplies training data to major artificial intelligence companies, confirmed in April 2026 that it was the victim of a security breach that may have exposed sensitive company and user data. The three-year-old company, valued at $10 billion, recruits experts in medicine, law, and other fields to improve AI models, and counts Anthropic, OpenAI, and Meta among its customers.
The incident was linked to a supply-chain attack on LiteLLM, a widely used open-source library that connects applications to AI services. According to security firm Snyk, a hacking group known as TeamPCP planted malicious code in the library, which is typically downloaded millions of times per day. The code was designed to harvest credentials and spread across the industry before it was identified and removed.
Mercor told Fortune it was "one of thousands of companies" affected by the attack. Spokesperson Heidi Hagberg said the company had "moved promptly" to contain and remediate the incident and that a third-party forensic investigation was underway. "The privacy and security of our customers and contractors is foundational to everything we do at Mercor," Hagberg said.
The extortion group Lapsus$ later claimed responsibility for accessing Mercor's data, publishing samples on its leak site that appeared to include Slack data, internal ticketing information, and videos of interactions with Mercor's AI systems. The group claims to hold as much as four terabytes of data, including source code and database records. Security researchers warn the LiteLLM compromise may trigger a broader wave of extortion attempts across the AI industry.
Source: Fortune -- https://fortune.com/2026/04/02/mercor-ai-startup-security-incident-10-billion/